In 1999, the specification 802.11b was published by the IEEE for Wireless Local Area Network (WLAN) access at rates of 11 Mbps. This standard has become widely supported by the industry and has a huge installed base in enterprise companies, as well as publicly accessible hot spots such as airports, hotels, cafes and so on.
The 802.11b specification offers authentication, access control and confidentiality mechanisms to some extent, but only on the wireless path. Two authentication methods are defined in this standard, namely "Open System" and "Shared Key".
In Open System authentication, a WLAN card in the Terminal Equipment (TE) simply announces that it wants to associate with a WLAN Access Point (hereinafter abbreviated as AP). No authentication is actually performed, and only basic access control mechanisms are available, such as Media Access Control (MAC) address filters and Service Set Identifiers (SSID).
MAC filters work so that only WLAN cards whose MAC address appears in a list kept by the AP, such as an Access Control List (ACL), are allowed to associate with it. This mechanism is of limited utility, since the identity being checked belongs to the equipment rather than to a user. If a terminal or card is stolen, there is no user-based authentication to prevent the stolen equipment from reaching the resources. Furthermore, since the MAC address of the WLAN card appears in the clear in the header of every WLAN frame, MAC-address spoofing is a trivial attack. This is of special relevance because most WLAN cards on the market allow their MAC address to be changed by software alone.
The other access control mechanism is the aforementioned Service Set Identifier (SSID), an alphanumeric code that identifies the instance of the WLAN with which the Terminal Equipment (TE) is trying to associate. A given AP only accepts associations from WLAN cards that present the right SSID. However, since this identifier is usually broadcast in the clear by the APs, and is often left at the default value set by the vendor, this mechanism is again of little use and is defeated by a number of well-known attacks.
The second authentication method mentioned above is the so-called Shared Key. This procedure is built on the basic confidentiality mechanism of the standard, Wired Equivalent Privacy (WEP), a symmetric encryption scheme based on the RC4 stream cipher. Authentication is performed by a challenge-response exchange in which both parties, the WLAN card and the AP, prove that they hold the same key: the AP sends a challenge in the clear and the card returns it WEP-encrypted. However, this key is installed and stored in the Terminal Equipment (TE) and is not bound to a user, so it suffers from the same disadvantages described for MAC filters. Worse, because both the clear challenge and its encrypted form are transmitted over the air, an eavesdropper obtains the RC4 keystream for that initialisation vector and can answer later challenges under the same vector without ever knowing the key.
Moreover, a number of recently published papers have shown fundamental flaws in the privacy mechanism itself, that is, in WEP. These flaws begin with the use of static WEP keys combined with a short, 24-bit initialisation vector (IV) that is sent in the clear in every WEP frame: the IV space is small, so keystreams are inevitably reused, and certain IV values leak information about the key itself. Purely passive attacks, using nothing more than a WLAN card that sniffs the traffic, therefore allow the keys to be recovered.
At first it seemed that better key management, refreshing the keys and increasing their length, for example from 40 to 104 key bits (the so-called 64-bit and 128-bit WEP, the remaining 24 bits being the IV), could make the algorithm safe enough to achieve an acceptable level of security. However, more recent reports have proven that the design of the algorithm as such cannot provide an acceptable security level.
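The two weaknesses described above, the Shared Key exchange leaking its own keystream and the clear-text IV making keystream reuse inevitable, can be seen in a few lines of code. The following is an added example, not part of the original document: a minimal Python model of WEP's RC4 keying and of the Shared Key challenge-response, with a passive eavesdropper who records one legitimate exchange, then authenticates without the key and decrypts a data frame sent under the same IV. The key, IV and payloads are constructed for illustration; 802.11 headers and the CRC-32 ICV are omitted.

```python
# Added example, not part of the original document: a minimal model of WEP's
# RC4 keying and of the 802.11 Shared Key authentication exchange, showing why
# the key-in-the-terminal design and the clear-text IV are weak. Key size,
# 24-bit IV and 128-byte challenge follow WEP; headers and the CRC-32 ICV are
# omitted. All keys and messages below are constructed for illustration.
import os
from typing import Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then PRGA, returning `length` bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """WEP per-frame encryption: RC4 keyed with IV || key. The 3-byte IV
    travels in the clear next to the ciphertext, as in a real WEP frame."""
    assert len(iv) == 3
    return iv, xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


# Shared Key authentication as the legitimate parties run it.

def ap_challenge() -> bytes:
    """Frame 2 of the exchange: a 128-byte challenge sent in the clear."""
    return os.urandom(128)


def station_response(wep_key: bytes, iv: bytes, challenge: bytes) -> Tuple[bytes, bytes]:
    """Frame 3: the station returns the challenge WEP-encrypted under its key."""
    return wep_encrypt(wep_key, iv, challenge)


def ap_verify(wep_key: bytes, challenge: bytes, iv: bytes, ct: bytes) -> bool:
    """The AP decrypts with the same IV || key and compares to its challenge."""
    return xor(ct, rc4_keystream(iv + wep_key, len(challenge))) == challenge


# What a passive eavesdropper can do with frames 2 and 3 alone.

def keystream_from_observed_auth(challenge: bytes, ct: bytes) -> bytes:
    """challenge XOR ciphertext = RC4 keystream for that IV; no key needed."""
    return xor(challenge, ct)


def forged_response(keystream: bytes, iv: bytes, new_challenge: bytes) -> Tuple[bytes, bytes]:
    """Answer a fresh challenge by reusing the recovered keystream and IV."""
    return iv, xor(new_challenge, keystream)


def demo() -> dict:
    wep_key = bytes.fromhex("0123456789")  # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                   # 24-bit IV; nothing stops its reuse

    # 1. Legitimate station authenticates; the attacker records both frames.
    chal = ap_challenge()
    iv_out, ct = station_response(wep_key, iv, chal)
    legit_ok = ap_verify(wep_key, chal, iv_out, ct)

    # 2. Attacker derives the keystream and passes a new challenge without the key.
    ks = keystream_from_observed_auth(chal, ct)
    chal2 = ap_challenge()
    forged_ok = ap_verify(wep_key, chal2, *forged_response(ks, iv, chal2))

    # 3. The same keystream decrypts any data frame sent under that IV, which
    #    a static key and a 24-bit IV make inevitable sooner or later.
    data = b"user=alice&pass=s3cret HTTP/1.0\r\n"   # constructed payload
    _, data_ct = wep_encrypt(wep_key, iv, data)
    recovered = xor(data_ct, ks)

    return {"legit_ok": legit_ok, "forged_ok": forged_ok, "recovered": recovered}


if __name__ == "__main__":
    r = demo()
    print("legitimate auth accepted:", r["legit_ok"])
    print("forged auth accepted:   ", r["forged_ok"])
    print("data frame recovered:   ", r["recovered"])
```

Note that the attacker never touches the key: the forged authentication and the recovered data frame follow entirely from the challenge and response being on the air and from the IV being reused, which is why longer keys alone did not rescue WEP.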
Nowadays, efforts are being made by the industry and by representative fora to solve the flaws in the presently applicable standards. The IEEE is currently working on improving the authentication mechanisms of the existing 802.11b; the results are expected to build on the 802.1X standard, "Port-Based Network Access Control", but this work is not finished yet. Moreover, this approach only addresses authentication, so a proper confidentiality algorithm is still needed. In this respect, current trends suggest that a protocol based on the Advanced Encryption Standard (AES) may replace WEP. Nevertheless, the port-based authentication mechanism suggested in 802.1X has a significant impact on the TE operating system and on the software of the APs, since 802.1X replaces the WEP-based authentication mechanism, and WEP itself, rather than patching them.
In the short term, a massive adoption of this new standard, with the flaws above still unresolved, will require new investment in WLAN equipment, since all the APs of a given WLAN would have to be replaced or at least upgraded. Additionally, and rather obviously, any WLAN confidentiality mechanism protects only the wireless path, that is, the link between the WLAN card and the AP; the corresponding Ethernet traffic beyond the AP is not encrypted at all.
It is therefore an object at this stage to provide means and methods for effective authentication of WLAN users, as well as a complete encryption mechanism covering the whole communication path starting from the Terminal Equipment of said users.